The massive Distributed Denial of Service (DDoS) attack last month on Dyn, the New Hampshire-based Domain Name System (DNS) provider, was mostly an inconvenience.
While it took down a portion of the internet for several hours, disrupted dozens of major websites and made national news, nobody died. Nobody even got hurt, other than financially.
But the attack, enabled by a botnet of millions of Internet of Things (IoT) devices, inevitably led to speculation on what damage a DDoS of that scale or worse could do to even a portion of the nation’s critical infrastructure (CI).
Clearly it could go well beyond inconvenient. Businesses, households, emergency services, the financial industry and yes, the internet, can’t function without electricity.
That has already been demonstrated on a relatively small scale. Earlier this month, a DDoS attack took down heating distribution in two properties in Lappeenranta, a city in eastern Finland.
The disruption was only temporary, but as local media noted, with below-freezing temperatures, “a long-term disruption in heat will cause both material damage as well as the need to relocate residents elsewhere.”
Also, in a recent paper titled “IoT Goes Nuclear: Creating a ZigBee Chain Reaction,” researchers reported that they were able to demonstrate, using Phillips Hue smart light bulbs, “a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction …”
Using the bulbs’ ZigBee wireless connectivity, the researchers said the attack, “can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDoS attack.”
If that kind of attack could also be used to take down heat, water, sewer, traffic control and other basic services for any length of time, the risks of chaos and physical harm grow rapidly.
As author, blogger security guru and Resilient Systems CTO Bruce Schneier put it in a recent post, “security flaws in these things could mean people dying and property being destroyed."
But could a DDoS attack really cause a long-term disruption of Industrial Control Systems (ICS), which operate or monitor much of the nation’s CI?
Experts have mixed views on the topic. Some say the nation’s ICSs are distinct enough from the consumer IoT that they would not be as vulnerable to a DDoS, while others say those systems are indeed connected enough to be a component of the IoT.
DDoS attacks are nothing new – they have been around for decades and are not considered sophisticated. They work by overloading websites and other internet-connected systems with junk traffic that prevents legitimate traffic from getting through, and can also cause the sites to crash.
What made the Dyn attack relatively unprecedented was its use of millions of “zombie” IoT devices like “smart” cameras, digital video recorders etc. instead of computers. The scale of the attack, at 1.2Tbps was unheard of as recently as a year ago. Now it is the norm, and is expected to increase rapidly.
Meanwhile, the nation’s CI remains notoriously insecure. Earlier this year, the FBI and Department of Homeland Security (DHS) launched a national campaign to warn US utilities and the public about the danger from cyber attacks like the one last December that took down part of Ukraine's power grid.
This past September, at the Security of Things Forum in Cambridge, Mass., a panel of security experts agreed that attackers, likely from hostile nation states, are probably already inside the nation's ICS.
Paul Dant, chief strategist and managing principal at Independent Security Evaluators, said at that discussion that more attacks are inevitable. “To think that stuff is not vulnerable is a complete fallacy,” he said.
Still, some in the industry say a DDoS is not a direct threat to major CI, because ICSs are not a part of the IoT in the way consumer devices are. Ben Miller, director of the Threat Operations Center at Dragos, said while, “at face value (ICSs) may seem similar” to IoT devices, “an industrial controller with input from a thermostat has a vastly different technology stack, use case, evolution, and capability than the Nest (consumer) thermostat on a wall.
“Industrial control system processes generally do not rely on Internet-based services,” he said.
Matt Devost, managing director at Accenture and CEO of FusionX, sees it much the same way. “The DDoS attack is most effective against targets that are inherently dependent on internet communications and the ICS/SCADA (Supervisory Control and Data Acquisition) environment is just not engineered to operate with that sort of dependency,” he said.
According to Gabe Gumbs, vice president of product strategy at Spirion, “the IoT should be strictly defined as consumer-connected devices. Much of critical infrastructure is connected, but it is not consumer-grade technology. Organizations that own things like SCADA systems are invested in securing them, in stark contrast to the consumer end of the spectrum.”
And Robert M. Lee, CEO of Dragos, said while there are still ICS assets on the internet – “too many, to be honest” – a lot of them are not. “These devices are instead forming a network of data and end points that is new and comprehensive in these locations. A DDoS styled attack would not be able to significantly disrupt critical infrastructure sites in the ICS community,” he said.
But Yoni Shohet, cofounder and CTO of SCADAfence said ICSs are, “definitely part of the IoT, since the industry is transforming from physical systems to cyber physical systems. The connectivity between industrial environments and external networks has increased in the past few years. These environments are exposed more than ever to external attacks.”
Stewart Kantor, CEO of Full Spectrum, has seen the same thing. “Since we’re seeing critical infrastructure initiating automation efforts through IP-based communications over public cellular data networks to smart devices, it’s becoming part of the broader IoT that incorporates consumer and mission-critical technologies alike,” he said.
But he doesn’t entirely disagree with those who say ICS is not part of the IoT, since some utilities have detached from the public internet through the creation of, “their own separate and private IoT using software-defined radio technology over a private network that is owned and operated exclusively by the utility.”